CVE-2026-28289

FreeScout · FreeScout

A TOCTOU flaw in FreeScout's file upload sanitization allows authenticated users to achieve RCE by uploading malicious .htaccess files using zero-width space prefixes.

Executive summary

FreeScout is vulnerable to a critical remote code execution flaw where authenticated users can bypass security filters to upload malicious configuration files and take control of the server.

Vulnerability

A Time-of-Check to Time-of-Use (TOCTOU) flaw exists in the sanitizeUploadedFileName() function. An authenticated user with upload permissions can bypass the dot-prefix check by prefixing the filename with a zero-width space (U+200B), allowing the upload of a malicious .htaccess file that leads to RCE.
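The ordering problem behind this class of bug, shown as an added example that is not FreeScout's code (FreeScout is written in PHP; this is a Python sketch of the pattern). The vulnerable shape runs the dot-prefix check on the raw name and only afterwards strips invisible characters, so the name that is checked differs from the name that is stored; the hardened shape normalizes first and checks the normalized result. The normalization rule (drop every Unicode "format" character, category Cf, which includes U+200B) and the function names are assumptions made for the illustration.

```python
import unicodedata


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf), which includes the
    zero-width space U+200B. Assumed normalization rule for this example."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def passes_dot_prefix_check(name: str) -> bool:
    """Reject hidden files such as .htaccess by their leading dot."""
    return not name.startswith(".")


def sanitize_check_then_normalize(name: str):
    """Vulnerable ordering (hypothetical): check the raw name, then normalize.
    Returns the name that would be stored, or None if rejected."""
    if not passes_dot_prefix_check(name):
        return None
    # The check above saw "\u200b.htaccess", which does not start with ".".
    # After stripping, the stored name is ".htaccess".
    return strip_invisible(name)


def sanitize_normalize_then_check(name: str):
    """Hardened ordering: normalize first, then check the name that will
    actually be stored. Returns the stored name, or None if rejected."""
    normalized = strip_invisible(name)
    if not passes_dot_prefix_check(normalized):
        return None
    return normalized


if __name__ == "__main__":
    # Constructed sample filenames for the demonstration.
    for candidate in ["report.pdf", ".htaccess", "\u200b.htaccess"]:
        print(repr(candidate),
              "check-then-normalize ->", repr(sanitize_check_then_normalize(candidate)),
              "| normalize-then-check ->", repr(sanitize_normalize_then_check(candidate)))
```

The fix is not the extra character list; it is that every policy check must run on the exact string that reaches the filesystem, after all transformations are complete.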

Business impact

This vulnerability has a CVSS score of 10, the highest possible severity. It allows any user with basic file upload permissions to escalate their privileges to full server control. This could result in the theft of all help desk data, customer communications, and total infrastructure compromise.

Remediation

Immediate Action: Update FreeScout to version 1.8.207, which patches the sanitization logic and prevents the upload of configuration files.

Proactive Monitoring: Inspect the web root and upload directories for hidden files, specifically .htaccess files or files containing zero-width space characters (U+200B).

Compensating Controls: Disable the execution of scripts in upload directories via web server configuration and implement strict file extension whitelisting at the web server level.
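A way to carry out the monitoring step above, as an added example rather than anything shipped with FreeScout: walk the upload tree and report filenames that are hidden (leading dot), that contain invisible Unicode format characters such as U+200B, or that normalize to .htaccess. The `make_sample_tree()` helper builds a constructed temporary directory so the scan can be run offline; the upload root path and the reason labels are assumptions for this example.

```python
import os
import tempfile
import unicodedata
from pathlib import Path


def visible_part(name: str) -> str:
    """Filename with Unicode format characters (category Cf, incl. U+200B) removed."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def classify(name: str) -> list:
    """Return the list of reasons a filename is suspicious (empty if none)."""
    reasons = []
    visible = visible_part(name)
    if visible != name:
        reasons.append("invisible-chars")      # e.g. a zero-width space prefix
    if visible.startswith("."):
        reasons.append("hidden-dotfile")       # hidden on a POSIX listing
    if visible.lower() == ".htaccess":
        reasons.append("htaccess")             # per-directory web server config
    return reasons


def scan_uploads(root: str) -> list:
    """Walk `root` and return sorted (relative_path, reasons) for flagged files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            reasons = classify(fn)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                findings.append((rel, reasons))
    return sorted(findings)


def make_sample_tree() -> str:
    """Create a constructed upload directory with benign and suspicious names."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    for name in ["report.pdf", ".htaccess", "\u200b.htaccess", "sub/\u200bnotes.txt"]:
        p = Path(root, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root


if __name__ == "__main__":
    # Point this at the real upload directory in practice; the sample tree is
    # only for trying the scanner out.
    for rel, reasons in scan_uploads(make_sample_tree()):
        print(f"{rel!r}: {', '.join(reasons)}")
```

Run it against the web root and upload directories on a schedule; a hit on `htaccess` or `invisible-chars` in an upload directory is worth treating as an incident rather than a hygiene finding, since such a file should never arrive there through normal use.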

Exploitation status

Public Exploit Available: No

Analyst recommendation

The CVSS 10 rating necessitates immediate action. Organizations using FreeScout must prioritize this update to prevent internal or compromised accounts from achieving full remote code execution.